urelas | 5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951a

General

Target

5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
Size

335KB
MD5

e387dd59054bfa8f949f413d4ce86540
SHA1

074d75500079b781a8e703eb50e9c96b068415e3
SHA256

5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951a
SHA512

1c607c72d6cc2223159e3034abc2e4fecf58c49b2414a9bc20f19ac257e213c27f273bb13eb5e78ee51e15fcb503f3a983dccb3bb82a8ddb96d348e500cf3bb0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRa:vHW138/iXWlK885rKlGSekcj66ci2Y

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	koniy.exe

Executes dropped EXE 2 IoCs

pid	Process
4484	koniy.exe
920	mupeo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koniy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mupeo.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe
920	mupeo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4484	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	82
PID 2228 wrote to memory of 4484	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	82
PID 2228 wrote to memory of 4484	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	82
PID 2228 wrote to memory of 3740	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	83
PID 2228 wrote to memory of 3740	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	83
PID 2228 wrote to memory of 3740	2228	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	83
PID 4484 wrote to memory of 920	4484	koniy.exe	94
PID 4484 wrote to memory of 920	4484	koniy.exe	94
PID 4484 wrote to memory of 920	4484	koniy.exe	94

C:\Users\Admin\AppData\Local\Temp\5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
"C:\Users\Admin\AppData\Local\Temp\5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\koniy.exe
  "C:\Users\Admin\AppData\Local\Temp\koniy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\mupeo.exe
    "C:\Users\Admin\AppData\Local\Temp\mupeo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bfe54d6fcffe988ce34ac3be8081d537

SHA1
5b140faf2d082ab6be8cfa3d52d8860f1509e773

SHA256
dcade3073e76d7bf2f873821fbadcb40e8e1f27bff9d8a44f9fc685a7d512a46

SHA512
4b0b8e91dfa613faa00e7aa2669ef5391f47df9046af4757c31fa16a4e21e62b5670e979f96ce1316f7fa174b5ceb0e60c23bed8f9eb71045dc3bad1e11b9149

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e011f995b5326127666c216813a3a1b8

SHA1
65a3d391509b8497d9e393f1ad71233193d0d8de

SHA256
f98d39f31b108c18d5f0438a4afcd060339410e492efe0d20946794f447f6539

SHA512
39bc6455d975b7856501bcba1ff040919daf94ba8a6fde9920948ecea2f67f322cacaddbfec02089c8da691966a686287202454840d7a32797f7cd3dc6ab78d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\koniy.exe

Filesize
335KB

MD5
5c29840ad17531a2f2bfb63fdf045a98

SHA1
c4a0726b010e7c693c7c4f75d92f0cb0e86b78ea

SHA256
bc51810ec9ece88616ff18294a34af162501e8442d93a300bc90a7be679f6404

SHA512
40f54f264d6045774478d422aec3bca960903ad74f5a2ec70fac22ceb339ef151cb80e8fe86a29d8cceceb17cc7531564fddce41a6aff53e3cdd99038f0dfe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\mupeo.exe

Filesize
172KB

MD5
a1ce972977e649f60bb132040bbe7fbe

SHA1
a10150ba6d3f0bdbfa8fe7f1d8fb95217563dd31

SHA256
3c1c3169cbfb14f80d9ef9f3a1fb83fd46cb74c5bd4237eb4e299e938c43f1a2

SHA512
bf1b586da6b58db5646b988919fc77abc747053c9fbabae7787fab435f54c80d84d28be19fdb940c691966eaf68f47da5df15ac91a07909fe060ff10fdca8be6

Download Submit
memory/920-48-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/920-38-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/920-46-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/920-47-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/920-42-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/920-39-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/2228-17-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/2228-0-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/2228-1-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4484-14-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/4484-41-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/4484-21-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/4484-20-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/4484-11-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing